Skip to content

Releases: JAugusto42/sandtrap

v0.1.8

Choose a tag to compare

@github-actions github-actions released this 06 Jul 03:21

sandtrap v0.1.8

Behavioral supply chain scanner for npm and PyPI. Sandtrap downloads each
dependency and inspects what the code actually does — install hooks,
obfuscation, exfiltration primitives, credential-store access — instead of
matching known-bad lists, which are blind to hijacked releases of legitimate
packages (the axios, Trivy and Shai-Hulud worm cases).

Calibrated against ~2,500 packages from real production lockfiles across three
codebases. Zero external dependencies: pure Go standard library.

Install

go install github.com/JAugusto42/sandtrap/cmd/sandtrap@latest
# or download a prebuilt binary below (linux/darwin/windows · amd64/arm64)

Quick start

sandtrap scan .                                   # scan a project's lockfiles
sandtrap check npm axios@1.12.0                    # vet a single package
sandtrap scan --write-baseline .                   # accept reviewed findings
sandtrap scan --fail-on high --format sarif --output sandtrap.sarif .

Highlights since first release

  • Detection engine — five behavioral rules (install-scripts, obfuscation,
    exfiltration, credential-access, fresh-publish) with per-rule score
    aggregation and severity tiers.
  • Precision — engineered against real false-positive classes: compiler
    output (dart2js banners, minified bundles, inline sourcemaps/data-URIs),
    decode-without-execute data tables, npm aliases, documentation IPs and test
    fixtures. Popular benign packages scan clean.
  • Lockfiles — package-lock.json (v1/v2/v3), yarn.lock (classic + berry,
    including npm: aliases), requirements.txt.
  • Baseline workflow (.sandtrap.json) — accept known behavior once; CI
    then fails only on NEW behavior, the signature of a hijacked release.
    Entries pin exact versions so upgrades force re-review.
  • Output — human terminal, structured JSON report (with a rule catalog
    carrying remediation), and SARIF 2.1.0 for

v0.1.7

Choose a tag to compare

@github-actions github-actions released this 06 Jul 03:16

Full Changelog: v0.1.6...v0.1.7

v0.1.6

Choose a tag to compare

@github-actions github-actions released this 06 Jul 03:06